Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Anthropic Agent Skills Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@@ -0,0 +1,76 @@
# Detecting Cryptomining in Cloud API Reference
## Detection Signal Categories
| Signal | Source | Indicator |
|--------|--------|-----------|
| Cost spike | AWS Cost Explorer | Sudden EC2/GPU cost increase |
| High CPU | CloudWatch | Sustained >95% CPU utilization |
| Mining ports | VPC Flow Logs | Traffic on 3333, 4444, 14444 |
| DNS queries | GuardDuty / Route53 | Queries to pool domains |
| Process | Runtime Monitoring | xmrig, ccminer, ethminer |
## GuardDuty Crypto Findings
```bash
# List crypto findings
aws guardduty list-findings --detector-id $DET \
--finding-criteria '{"Criterion":{"type":{"Eq":["CryptoCurrency:EC2/BitcoinTool.B!DNS","CryptoCurrency:Runtime/BitcoinTool.B"]}}}'
```
## CloudWatch CPU Alarm
```bash
aws cloudwatch put-metric-alarm \
--alarm-name "HighCPU-Mining" \
--metric-name CPUUtilization \
--namespace AWS/EC2 \
--statistic Average \
--period 300 --threshold 95 \
--comparison-operator GreaterThanThreshold \
--evaluation-periods 6 \
--alarm-actions arn:aws:sns:us-east-1:123456:SOCAlerts
```
## AWS Cost Anomaly Detection
```bash
# Create monitor
aws ce create-anomaly-monitor --anomaly-monitor '{
"MonitorName": "EC2CostSpike", "MonitorType": "DIMENSIONAL",
"MonitorDimension": "SERVICE"
}'
# Get anomalies
aws ce get-anomalies --date-interval '{"StartDate":"2024-01-01","EndDate":"2024-01-31"}'
```
## VPC Flow Logs Mining Port Query
```
fields @timestamp, srcaddr, dstaddr, dstport, bytes
| filter dstport in [3333, 4444, 5555, 14444, 45700]
| stats sum(bytes) as total_bytes by srcaddr, dstaddr, dstport
| sort total_bytes desc
```
## Known Mining Pool Domains
```
pool.minexmr.com, xmr.pool.minergate.com, monerohash.com,
xmrpool.eu, supportxmr.com, pool.hashvault.pro,
gulf.moneroocean.stream, rx.unmineable.com
```
## Instance Remediation
```bash
# Terminate mining instance
aws ec2 terminate-instances --instance-ids i-0123456789abcdef0
# Isolate via security group
aws ec2 modify-instance-attribute --instance-id i-xxx --groups sg-isolation
# Snapshot for forensics before termination
aws ec2 create-snapshot --volume-id vol-xxx --description "Mining forensics"
```
@@ -0,0 +1,176 @@
#!/usr/bin/env python3
"""Cloud cryptomining detection agent with multi-signal analysis."""
import json
import subprocess
import sys
from datetime import datetime, timedelta
MINING_PORTS = [3333, 4444, 5555, 7777, 8888, 9999, 14444, 14433, 45700]
MINING_DOMAINS = [
"pool.minexmr.com", "xmr.pool.minergate.com", "monerohash.com",
"xmrpool.eu", "supportxmr.com", "pool.hashvault.pro",
"gulf.moneroocean.stream", "rx.unmineable.com",
]
def aws_cli(args):
"""Execute AWS CLI command and return parsed JSON."""
cmd = ["aws"] + args + ["--output", "json"]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
if result.returncode == 0 and result.stdout.strip():
return json.loads(result.stdout)
return {"error": result.stderr.strip()} if result.returncode != 0 else {}
except Exception as e:
return {"error": str(e)}
def get_guardduty_crypto_findings():
"""Retrieve GuardDuty cryptocurrency-related findings."""
det = aws_cli(["guardduty", "list-detectors"])
detector_id = det.get("DetectorIds", [None])[0]
if not detector_id:
return {"error": "No GuardDuty detector found"}
crypto_types = [
"CryptoCurrency:EC2/BitcoinTool.B!DNS",
"CryptoCurrency:EC2/BitcoinTool.B",
"CryptoCurrency:Runtime/BitcoinTool.B!DNS",
"CryptoCurrency:Runtime/BitcoinTool.B",
"Impact:EC2/BitcoinDomainRequest.Reputation",
]
result = aws_cli([
"guardduty", "list-findings",
"--detector-id", detector_id,
"--finding-criteria", json.dumps({"Criterion": {"type": {"Eq": crypto_types}}}),
])
finding_ids = result.get("FindingIds", [])
if not finding_ids:
return {"count": 0, "findings": []}
details = aws_cli(["guardduty", "get-findings", "--detector-id", detector_id, "--finding-ids"] + finding_ids[:20])
parsed = []
for f in details.get("Findings", []):
inst = f.get("Resource", {}).get("InstanceDetails", {})
parsed.append({
"type": f.get("Type"),
"severity": f.get("Severity"),
"instance_id": inst.get("InstanceId"),
"instance_type": inst.get("InstanceType"),
"region": f.get("Region"),
})
return {"count": len(parsed), "findings": parsed}
def check_high_cpu_instances():
"""Find EC2 instances with sustained high CPU utilization."""
instances = aws_cli(["ec2", "describe-instances",
"--filters", "Name=instance-state-name,Values=running",
"--query", "Reservations[*].Instances[*].[InstanceId,InstanceType,LaunchTime]",
"--output", "json"])
return instances
def create_cost_anomaly_monitor():
"""Create AWS Cost Anomaly Detection monitor for EC2 spikes."""
return aws_cli([
"ce", "create-anomaly-monitor",
"--anomaly-monitor", json.dumps({
"MonitorName": "CryptoMiningCostSpike",
"MonitorType": "DIMENSIONAL",
"MonitorDimension": "SERVICE",
}),
])
def check_cloudtrail_instance_launches(hours=24):
"""Check CloudTrail for unusual instance launch patterns."""
end_time = datetime.utcnow()
start_time = end_time - timedelta(hours=hours)
result = aws_cli([
"cloudtrail", "lookup-events",
"--lookup-attributes", json.dumps([
{"AttributeKey": "EventName", "AttributeValue": "RunInstances"}
]),
"--start-time", start_time.isoformat() + "Z",
"--end-time", end_time.isoformat() + "Z",
"--max-results", "50",
])
events = []
for e in result.get("Events", []):
detail = json.loads(e.get("CloudTrailEvent", "{}"))
events.append({
"time": e.get("EventTime"),
"user": e.get("Username"),
"source_ip": detail.get("sourceIPAddress"),
"region": detail.get("awsRegion"),
"instance_type": detail.get("requestParameters", {}).get("instanceType"),
})
return {"launches": events, "count": len(events)}
def query_vpc_flow_logs_mining(log_group="/aws/vpc/flowlogs"):
"""Query VPC Flow Logs for traffic to mining pool ports."""
port_filter = " || ".join([f"dstport = {p}" for p in MINING_PORTS])
query = f"""
fields @timestamp, srcaddr, dstaddr, dstport, bytes, action
| filter ({port_filter})
| sort @timestamp desc
| limit 100
"""
return aws_cli([
"logs", "start-query",
"--log-group-name", log_group,
"--start-time", str(int((datetime.utcnow() - timedelta(hours=24)).timestamp())),
"--end-time", str(int(datetime.utcnow().timestamp())),
"--query-string", query,
])
def isolate_mining_instance(instance_id):
"""Isolate a mining instance by modifying its security group."""
sg_result = aws_cli([
"ec2", "create-security-group",
"--group-name", f"isolation-{instance_id}",
"--description", "Isolation SG for mining instance",
])
sg_id = sg_result.get("GroupId")
if not sg_id:
return {"error": "Failed to create isolation security group"}
return aws_cli([
"ec2", "modify-instance-attribute",
"--instance-id", instance_id,
"--groups", sg_id,
])
def generate_report():
"""Generate comprehensive cryptomining detection report."""
return {
"timestamp": datetime.utcnow().isoformat() + "Z",
"guardduty": get_guardduty_crypto_findings(),
"recent_launches": check_cloudtrail_instance_launches(),
"known_mining_ports": MINING_PORTS,
"known_mining_domains": MINING_DOMAINS,
}
if __name__ == "__main__":
action = sys.argv[1] if len(sys.argv) > 1 else "report"
if action == "report":
print(json.dumps(generate_report(), indent=2, default=str))
elif action == "findings":
print(json.dumps(get_guardduty_crypto_findings(), indent=2, default=str))
elif action == "launches":
hours = int(sys.argv[2]) if len(sys.argv) > 2 else 24
print(json.dumps(check_cloudtrail_instance_launches(hours), indent=2, default=str))
elif action == "flow-logs":
lg = sys.argv[2] if len(sys.argv) > 2 else "/aws/vpc/flowlogs"
print(json.dumps(query_vpc_flow_logs_mining(lg), indent=2, default=str))
elif action == "isolate" and len(sys.argv) > 2:
print(json.dumps(isolate_mining_instance(sys.argv[2]), indent=2))
else:
print("Usage: agent.py [report|findings|launches [hours]|flow-logs [log-group]|isolate <instance-id>]")