Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Anthropic Agent Skills Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@@ -0,0 +1,77 @@
# API Reference: Detecting DCSync Attack in Active Directory
## DCSync Replication GUIDs
| GUID | Right |
|------|-------|
| 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 | DS-Replication-Get-Changes |
| 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 | DS-Replication-Get-Changes-All |
| 89e95b76-444d-4c62-991a-0facbeda640c | DS-Replication-Get-Changes-In-Filtered-Set |
## Windows Event ID 4662 Fields
```xml
<EventID>4662</EventID>
<Data Name="SubjectUserName">attacker</Data>
<Data Name="SubjectDomainName">CORP</Data>
<Data Name="Properties">{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
<Data Name="ObjectName">DC=corp,DC=local</Data>
```
## python-evtx Usage
```python
import Evtx.Evtx as evtx
with evtx.Evtx("Security.evtx") as log:
for record in log.records():
xml = record.xml()
# Filter for EventID 4662 with replication GUIDs
```
## Splunk SPL Detection Query
```spl
index=wineventlog EventCode=4662
| where Properties IN ("*1131f6aa*", "*1131f6ad*", "*89e95b76*")
| where NOT match(SubjectUserName, ".*\\$$")
| stats count values(Properties) by SubjectUserName Computer
```
## KQL (Microsoft Sentinel)
```kql
SecurityEvent
| where EventID == 4662
| where Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
| where SubjectUserName !endswith "$"
| project TimeGenerated, SubjectUserName, Computer, Properties
```
## PowerShell - Audit Replication Permissions
```powershell
$domain = (Get-ADDomain).DistinguishedName
$acl = Get-Acl "AD:\$domain"
$acl.Access | Where-Object {
$_.ObjectType -in @(
'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',
'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
)
} | Select IdentityReference, ObjectType
```
## Attack Tools Reference
| Tool | Command |
|------|---------|
| Mimikatz | `lsadump::dcsync /user:krbtgt /domain:corp.local` |
| Impacket | `secretsdump.py corp/admin:pass@dc-ip` |
| DSInternals | `Get-ADReplAccount -SamAccountName krbtgt` |
## CLI Usage
```bash
python agent.py --security-log Security.evtx --dc-accounts known_dcs.txt
python agent.py --generate-sigma
python agent.py --check-perms
```
@@ -0,0 +1,177 @@
#!/usr/bin/env python3
"""DCSync attack detection agent for Active Directory environments.
Parses Windows Security Event ID 4662 logs to detect non-domain-controller
accounts requesting directory replication (DCSync technique T1003.006).
"""
import argparse
import json
import re
import sys
from datetime import datetime
try:
import Evtx.Evtx as evtx
except ImportError:
evtx = None
REPLICATION_GUIDS = {
"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
"89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
KNOWN_REPLICATION_ACCOUNTS = set()
def load_dc_accounts(filepath):
if not filepath:
return set()
accounts = set()
with open(filepath, "r") as f:
for line in f:
line = line.strip()
if line and not line.startswith("#"):
accounts.add(line.upper())
return accounts
def parse_4662_events(filepath, dc_accounts):
if evtx is None:
return {"error": "python-evtx not installed: pip install python-evtx"}
findings = []
total_4662 = 0
with evtx.Evtx(filepath) as log:
for record in log.records():
xml = record.xml()
if "<EventID>4662</EventID>" not in xml:
continue
total_4662 += 1
props = re.search(r'<Data Name="Properties">([^<]+)', xml)
if not props:
continue
prop_text = props.group(1).lower()
matched_rights = []
for guid, name in REPLICATION_GUIDS.items():
if guid in prop_text:
matched_rights.append(name)
if not matched_rights:
continue
subject = re.search(r'<Data Name="SubjectUserName">([^<]+)', xml)
domain = re.search(r'<Data Name="SubjectDomainName">([^<]+)', xml)
logon_id = re.search(r'<Data Name="SubjectLogonId">([^<]+)', xml)
object_name = re.search(r'<Data Name="ObjectName">([^<]+)', xml)
time_created = re.search(r'SystemTime="([^"]+)"', xml)
computer = re.search(r'<Computer>([^<]+)', xml)
subject_name = subject.group(1) if subject else ""
domain_name = domain.group(1) if domain else ""
full_account = f"{domain_name}\\{subject_name}".upper()
if subject_name.endswith("$"):
if subject_name.upper().rstrip("$") in dc_accounts or \
full_account.rstrip("$") in dc_accounts:
continue
if subject_name.upper() in dc_accounts or full_account in dc_accounts:
continue
is_machine = subject_name.endswith("$")
severity = "HIGH" if is_machine else "CRITICAL"
findings.append({
"event_id": 4662,
"timestamp": time_created.group(1) if time_created else "",
"subject_user": subject_name,
"subject_domain": domain_name,
"logon_id": logon_id.group(1) if logon_id else "",
"computer": computer.group(1) if computer else "",
"object_name": object_name.group(1) if object_name else "",
"replication_rights": matched_rights,
"is_machine_account": is_machine,
"severity": severity,
"mitre": "T1003.006",
"description": "Non-DC account requesting directory replication",
})
return {"total_4662_events": total_4662, "dcsync_detections": findings}
def check_replication_permissions_powershell():
query = """
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DistinguishedName
$acl = Get-Acl "AD:\\$domain"
$repl_rights = @(
'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',
'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
)
$acl.Access | Where-Object {
$_.ObjectType -in $repl_rights -and
$_.AccessControlType -eq 'Allow'
} | Select-Object IdentityReference, ObjectType, AccessControlType |
ConvertTo-Json
"""
return {"powershell_query": query.strip(),
"note": "Run on a domain controller with RSAT tools"}
def generate_sigma_rule():
return {
"title": "DCSync Activity - Non-DC Replication Request",
"status": "stable",
"logsource": {"product": "windows", "service": "security"},
"detection": {
"selection": {
"EventID": 4662,
"Properties|contains": [
"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
]
},
"filter_dc": {"SubjectUserName|endswith": "$"},
"condition": "selection and not filter_dc"
},
"level": "critical",
"tags": ["attack.credential_access", "attack.t1003.006"],
}
def main():
parser = argparse.ArgumentParser(description="DCSync Attack Detector")
parser.add_argument("--security-log", help="Windows Security EVTX file")
parser.add_argument("--dc-accounts", help="File with known DC account names (one per line)")
parser.add_argument("--generate-sigma", action="store_true", help="Output Sigma detection rule")
parser.add_argument("--check-perms", action="store_true",
help="Show PowerShell query for replication permissions")
args = parser.parse_args()
results = {"timestamp": datetime.utcnow().isoformat() + "Z"}
dc_accounts = load_dc_accounts(args.dc_accounts)
dc_accounts.update(KNOWN_REPLICATION_ACCOUNTS)
if args.security_log:
parsed = parse_4662_events(args.security_log, dc_accounts)
if isinstance(parsed, dict) and "error" in parsed:
results["error"] = parsed["error"]
else:
results.update(parsed)
results["total_detections"] = len(parsed.get("dcsync_detections", []))
if args.generate_sigma:
results["sigma_rule"] = generate_sigma_rule()
if args.check_perms:
results["permission_check"] = check_replication_permissions_powershell()
print(json.dumps(results, indent=2))
if __name__ == "__main__":
main()