Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2026-06-15 15:34:56 +03:00 · 2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,65 @@
+# API Reference: Detecting Email Forwarding Rules Attack
+
+## Microsoft Graph API - Inbox Rules
+
+```http
+GET https://graph.microsoft.com/v1.0/users/{user-id}/mailFolders/inbox/messageRules
+Authorization: Bearer {token}
+
+# Response
+{
+  "value": [
+    {
+      "displayName": "Forward invoices",
+      "isEnabled": true,
+      "conditions": {"subjectContains": ["invoice", "payment"]},
+      "actions": {
+        "forwardTo": [{"emailAddress": {"address": "attacker@evil.com"}}],
+        "delete": true,
+        "markAsRead": true
+      }
+    }
+  ]
+}
+```
+
+## Exchange Online PowerShell
+
+```powershell
+# List all inbox rules for a user
+Get-InboxRule -Mailbox user@company.com | FL Name, ForwardTo, RedirectTo, DeleteMessage
+
+# Find forwarding rules across all mailboxes
+Get-Mailbox -ResultSize Unlimited | ForEach-Object {
+    Get-InboxRule -Mailbox $_.UserPrincipalName |
+    Where-Object { $_.ForwardTo -or $_.RedirectTo }
+}
+
+# Search unified audit log for rule creation
+Search-UnifiedAuditLog -Operations "New-InboxRule","Set-InboxRule" -StartDate (Get-Date).AddDays(-30)
+```
+
+## Suspicious Rule Indicators
+
+| Indicator | Severity | Description |
+|-----------|----------|-------------|
+| External forwarding | HIGH | Forwards to non-org domain |
+| Forward + delete | CRITICAL | Forwards then deletes original |
+| Financial keywords | HIGH | Targets invoice/payment subjects |
+| Forward + mark read | HIGH | Hides forwarded messages |
+| Move to RSS/Junk | MEDIUM | Hides messages in unused folders |
+
+## Splunk SPL Detection
+
+```spl
+index=o365 Operation IN ("New-InboxRule", "Set-InboxRule")
+| spath output=forward path=Parameters{}.Value
+| where isnotnull(forward) AND NOT match(forward, "@company\\.com")
+```
+
+## CLI Usage
+
+```bash
+python agent.py --token "eyJ..." --user-id user@company.com --org-domain company.com
+python agent.py --audit-log exchange_audit.log
+```